2015 PCI DSS Meeting. OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock

Transcription

1 2015 PCI DSS Meeting OSU Business Affairs Projects, Improvement, and Technology (PIT) Robin Whitlock 11/3/2015

2 Today s Presentation What do you need to do? What is PCI DSS? Why PCI DSS? Who Needs to Comply with PCI DSS? What does PCI DSS Compliance Mean? Penalties for Non-Compliance Compliance Life Cycle Goals & Requirements New PCI DSS v3.1 Cardholder Data/Storage What do you have to do? SAQs Resources Questions 2

3 Your to do list by December 11: 1. Verify credit card merchant information on the PCI DSS Status Report and provide updates to Business Affairs 2. Merchant managers complete and sign the Cover Page & SAQ Annual PCI DSS Assessment must be completed for all Merchants 3. Obtain 3rd Party PCI DSS Certificate of Compliance (if applicable). This is required if your merchant uses an OST approved 3 rd party vendor other than TouchNet. 4. Business Center Manager or FAM must review and sign 5. Send to Robin Whitlock 3

4 What is PCI DSS? Payment Card Industry Data Security Standards Continuously evolving security best practices for credit card merchants and cardholder data Common set of industry tools and measurements to help ensure the safe handling of sensitive information Provides an actionable framework for developing a robust account data security process including preventing, detecting and reacting to security incidents ( Administered by the PCI Security Standards Council, which was founded by the major credit card companies (VISA, MC, Discover ) 4

5 Why PCI DSS? 154 breaches of sensitive information to date in 2015 (affecting >153 million records) 1 Notable retail breaches since November Target Home Depot Staples Kmart Albertsons Michaels Neiman Marcus ebay PF Changs UPS Stores Aaron Brothers Goodwill Supervalu Dairy Queen CVS 1 Privacy Rights Clearinghouse, 10/26/15 2 Cyber Attacks on US Companies in 2014, by Riley Walters, 5

6 Who Needs to Comply with PCI DSS? Applies to all entities that store, process or transmit cardholder data (merchants, payment card issuing banks, processors, developers ) That means you! Compliance is mandatory (ecommerce Policy, Oregon State Treasury,PCI DSS). Merchant Managers are responsible for merchant compliance: Attestation I understand that each merchant has fiscal and data security responsibility for proper use of the Merchant ID. I further understand that failure by the merchant to abide by PCI standards could result in fines to the University and/or loss of Merchant ID. To the best of my knowledge, this cover sheet and the information in the attached PCI SAQ (if applicable) accurately represents the operations, procedures, and practices of the Merchant ID's listed above. (Payment Card Industry Data Security Standards Annual Assessment Cover Page). 6

7 What does PCI DSS Compliance Mean? In security terms, it means that your business adheres to the PCI DSS requirements for security management, policies, procedures, network architecture, software design and other critical protective measures. In operational terms, it means that you are playing your role to make sure your customers' payment card data is being kept safe throughout every transaction, and that they and you can have confidence that they're protected against the pain and cost of data breaches. ( 7

8 Penalties for Non-Compliance Fines of $50-$90 per cardholder data compromised Non-compliant merchants are penalized by acquiring banks Revocation of merchant credit card acceptance Loss of customers Loss of reputation Possible civil litigation from breached customers Juntoblog, Sorting Out the Consequences of PCI Data Security Noncompliance, 10/26/15 8

9 Compliance Life Cycle Pre- Assessment / Gap Analysis Implement / Remediate PCI:DSS Validation Ongoing Compliance Monitoring On-going process, not a one-time event 9

10 PCI DSS Goals & Requirements Goal Requirement 1. Build and Maintain a Secure Network 1. Install and maintain a firewall configuration to protect cardholder data 2. Do not use vendor-supplied defaults for system passwords and other parameters 2. Protect Cardholder Data 3. Protect stored cardholder data 4. Encrypt transmission of cardholder data across open, public networks 3. Maintain a Vulnerability Management Program 4. Implement Strong Access Control Measures 5. Regularly Monitor and Test Networks 6. Maintain an Information Security Policy 5. Use and regularly update anti-virus software 6. Develop and maintain secure systems and applications 7. Restrict access to cardholder data by business need-toknow 8. Assign a unique ID to each person with computer access 9. Restrict physical access to cardholder data 10. Track and monitor all access to network resources and cardholder data 11. Regularly test security systems and processes 12. Maintain a policy that addresses information security 10

11 Digital Dozen Requirements by SAQ A X X A-EP X X X X X X X X X X X X B X X X X X B-IP X X X X X X X X X X C X X X X X X X X X X X X D X X X X X X X X X X X X SAQs A-EP and B-IP are new 3.0/3.1 SAQs Requirement 10 is new to SAQ C with

12 What s New: PCI DSS v3.1 PCI DSS was updated from v2.0 to v3.1 Focus is on incorporating PCI DSS requirements into day-to-day activities, not just a once-a-year assessment. More requirements across the board Changes to SAQs Incorporation of new/changed requirements Expected testing added Format updates New SAQs: A-EP, B-IP Updated eligibility criteria for existing SAQs 12

13 What is Cardholder Data? Primary Account Number (PAN) Expiration Date Cardholder Name Chip/Magnetic Strip Data CAV2/CVC2/CVV2 13

14 PCI Data Storage Cardholder Data Sensitive Authentication Data [4] Data Element Storage Permitted Protection Required Primary Account Number (PAN) Yes Yes Cardholder Name [3] Yes Yes [3] Expiration Date [3] Yes Yes [3] Full Magnetic Strip Data [5] No N/A CAV2/CVC2/CVV2 No N/A 1.BEST PRACTICE: DO NOT STORE CARDHOLDER DATA. 2.NEVER store using electronic media, for example database or spreadsheet. 3.These data elements must be protected if stored in conjunction with the PAN. 4.Sensitive authentication data must not be stored after authorization (even if encrypted). 5.Magnetic stripe or chip. 14

15 What do we have to do? Level/ Tier Merchant Criteria Validation Requirements 1 Merchants processing over 6 million Visa transactions annually (all channels) 2 Merchants processing 1 million to 6 million Visa transactions annually (all channels) 3 Merchants processing 20,000 to 1 million Visa e-commerce transactions annually 4 Merchants processing less than 20,000 Visa e-commerce transactions annually and all other merchants processing up to 1 million Visa transactions annually Annual Report on Compliance by Qualified Security Assessor ( QSA ) Quarterly network scan by Approved Scan Vendor ( ASV ) Attestation of Compliance Form Annual Self-Assessment Questionnaire Quarterly network scan by ASV Attestation of Compliance Form Annual SAQ Quarterly network scan by ASV Attestation of Compliance Form Annual SAQ Quarterly network scan by ASV if applicable Requirements set by acquirer 15

16 Annual PCI DSS Assessment Documents Documents due by December 11, 2015: 1. OSU Cover Page 2. Self Assessment Questionnaire (SAQ A-D Appropriate to merchant) 3. 3 rd Party PCI DSS Certificate of Compliance (if applicable) 16

17 Self Assessment Questionnaire (SAQ) Completed by the merchant manager Subset of full requirements Broken down by Goals & Requirements Made up of Yes / No / Not Applicable responses NA or Compensating Control - must be explained No- Must have Remediation Date and Actions Attestation Section Fill out the Merchant Version Do not complete the Service Provider Version Details will be covered in break-out sessions 17

18 Which SAQ? See PCI DSS Status Report for your merchant SAQ # Questions ASV Scan? Pen Test? Description A 14 No No Card-not-present (e-commerce or mail/telephone-order) merchants, all cardholder data functions outsourced. Not applicable to face-toface merchants. A-EP 139 Yes Yes E-commerce merchants who outsource all payment processing and have a website that does not directly receive cardholder data but can impact security of the payment transaction. Not applicable to face-toface merchants. B 41 No No Imprint-only merchants with no electronic cardholder data storage, or standalone, dial-out terminal merchants with no electronic cardholder data storage. Terminals not IP-connected. B-IP 83 Yes No Merchants with standalone, IP-connected point of sale terminals. C 139 Yes Yes Merchants with payment application systems connected to the Internet, no electronic cardholder data storage. D 326 Yes Yes All other merchants not included in descriptions for SAQ types A through C above, and all service providers defined by a payment brand as eligible to complete an SAQ. Source: PCI Compliance Guide, "New! More! A First Look at the PCI DSS 3.0 SAQs" 18

19 Multiple Merchant Consolidation Multiple merchants can be combined into a single submittal if: 1. The merchant IDs (MIDs) are of the same type (i.e. all POS, Web ) 2. All merchants are managed by same merchant manager 3. The same policies and procedures apply to all merchants 4. Strictest SAQ will apply (the one with the most questions) 5. List all merchants on cover page 19

20 Misconceptions Self assessment means you re compliant Compliance means you won t suffer a breach Outsourcing takes away your need for compliance PCI:DSS is just about IT A single product can make you compliant Compliance can be automated 20

21 SAQ Review Sessions Line-by-line review of PCI DSS 3.1 SAQs OSU-specific information Changes from version 2.0 to 3.1 Schedule: SAQ A: 11/4/15 10:00AM SAQ B: 11/4/15 11:00AM SAQ B-IP: 11/9/15 9:00AM SAQ C: 11/9/15 11:00AM 21

22 Your to do list by December 11: 1. Verify credit card merchant information on the PCI DSS Status Report and provide updates to Business Affairs 2. Merchant managers complete and sign the Cover Page & SAQ Annual PCI DSS Assessment must be completed for all Merchants 3. Obtain 3rd Party PCI DSS Certificate of Compliance (if applicable) This is required if your merchant uses an OST approved 3 rd party vendor other than TouchNet. 4. Business Center Manager or FAM must review and sign. 5. Send to Robin Whitlock Electronic submission is preferred. 22

23 Resources Copies of your last assessment can be ed to you on request Annual PCI Compliance for OSU Credit Card Merchants web site: Status Report by Business Center Forms: Cover Page and SAQ OSU-specific SAQ instructions Other supporting documents 23

24 Thank You Robin Whitlock Business Affairs Contact